
Publication


Featured research published by Karen A. Scarfone.


empirical software engineering and measurement | 2009

An analysis of CVSS version 2 vulnerability scoring

Karen A. Scarfone; Peter M. Mell

The Common Vulnerability Scoring System (CVSS) is a specification for measuring the relative severity of software vulnerabilities. Finalized in 2007, CVSS version 2 was designed to address deficiencies found during analysis and use of the original CVSS version. This paper analyzes how effectively CVSS version 2 addresses these deficiencies and what new deficiencies it may have. This analysis is based primarily on an experiment that applied both version 1 and version 2 scoring to a large set of recent vulnerabilities. Theoretical characteristics of version 1 and version 2 scores were also examined. The results show that the goals for the changes were met, but that some changes had a negligible effect on scoring while complicating the scoring process. The changes also had unintended effects on organizations that prioritize vulnerability remediation based primarily on CVSS scores.


Iet Information Security | 2007

Improving the Common Vulnerability Scoring System

Peter M. Mell; Karen A. Scarfone

The Common Vulnerability Scoring System is an emerging standard for scoring the impact of vulnerabilities. The results of an analysis of the scoring system and that of an experiment scoring a large set of vulnerabilities using the standard are presented. Although the scoring system was found to be useful, it contains a variety of deficiencies that limit its ability to measure the impact of vulnerabilities. The study demonstrates how these deficiencies could be addressed in subsequent versions of the standard and how these changes are backwards-compatible with the existing scoring efforts. In conclusion a recommendation for a revised scoring system and an analysis of experiments that demonstrate how the revision would address deficiencies discovered in the existing version of the standard are presented.
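Both CVSS papers above turn on how base scores are computed and how the resulting ordering drives remediation. As an added worked example (not code from either paper), the following Python scores CVSS version 2 vector strings using the published v2 base equations and metric weights, then orders a set of findings by score, which is the prioritisation practice the 2009 paper examines. The vector strings, the finding names and the half-up rounding choice are assumptions made for the example.

```python
"""CVSS v2 base-score calculator. Added example; not code from the papers above.
Metric weights and equations are the published CVSS v2 base equations; the
vectors scored below are constructed inputs, not real CVEs."""
from decimal import Decimal, ROUND_HALF_UP

# CVSS v2 base metric weights, keyed by the letter used in the vector string.
ACCESS_VECTOR = {"L": 0.395, "A": 0.646, "N": 1.0}      # Local, Adjacent, Network
ACCESS_COMPLEXITY = {"H": 0.35, "M": 0.61, "L": 0.71}   # High, Medium, Low
AUTHENTICATION = {"M": 0.45, "S": 0.56, "N": 0.704}     # Multiple, Single, None
IMPACT = {"N": 0.0, "P": 0.275, "C": 0.660}             # None, Partial, Complete
METRICS = {"AV": ACCESS_VECTOR, "AC": ACCESS_COMPLEXITY, "Au": AUTHENTICATION,
           "C": IMPACT, "I": IMPACT, "A": IMPACT}


def parse_vector(vector: str) -> dict:
    """Parse 'AV:N/AC:L/Au:N/C:C/I:C/A:C' into {metric: letter}; reject malformed input."""
    parsed = {}
    for part in vector.split("/"):
        name, _, value = part.partition(":")
        if name not in METRICS or value not in METRICS[name] or name in parsed:
            raise ValueError(f"bad or duplicate metric {part!r}")
        parsed[name] = value
    missing = set(METRICS) - set(parsed)
    if missing:
        raise ValueError(f"missing metrics {sorted(missing)}")
    return parsed


def round1(x: float) -> float:
    """Round half up to one decimal place (assumed here; the spec says 'round to 1 decimal')."""
    return float(Decimal(repr(x)).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))


def base_score(vector: str) -> dict:
    """Return the Impact and Exploitability subscores and the Base score for a v2 vector."""
    m = parse_vector(vector)
    c, i, a = IMPACT[m["C"]], IMPACT[m["I"]], IMPACT[m["A"]]
    impact = 10.41 * (1 - (1 - c) * (1 - i) * (1 - a))
    exploitability = (20 * ACCESS_VECTOR[m["AV"]] * ACCESS_COMPLEXITY[m["AC"]]
                      * AUTHENTICATION[m["Au"]])
    # f(Impact): a vulnerability with no impact scores 0 regardless of exploitability.
    base = 0.0 if impact == 0 else ((0.6 * impact) + (0.4 * exploitability) - 1.5) * 1.176
    return {"impact": round1(impact), "exploitability": round1(exploitability),
            "base": round1(base)}


def prioritize(findings: dict) -> list:
    """Order finding names by base score, highest first; ties fall back to the name."""
    scored = [(base_score(vector)["base"], name) for name, vector in findings.items()]
    return [name for _, name in sorted(scored, key=lambda t: (-t[0], t[1]))]


# Constructed findings for the example, not real CVEs.
FINDINGS = {
    "remote-rce": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
    "web-partial-impact": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
    "local-info-leak": "AV:L/AC:H/Au:M/C:P/I:N/A:N",
    "no-impact": "AV:L/AC:L/Au:N/C:N/I:N/A:N",
}

if __name__ == "__main__":
    for name in prioritize(FINDINGS):
        print(f"{base_score(FINDINGS[name])['base']:>4}  {name}")
```

The parser rejects missing or duplicated metrics rather than defaulting them, because a silently defaulted metric produces a plausible-looking but wrong score, which is exactly the kind of error a score-driven remediation queue cannot detect.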


Handbook of Information and Communication Security | 2010

Intrusion Detection and Prevention Systems

Karen A. Scarfone; Peter M. Mell

Intrusion detection is the process of monitoring the events occurring in a computer system or network and analyzing them for signs of possible incidents, which are violations or imminent threats of violation of computer security policies, acceptable use policies, or standard security practices. An intrusion detection system (IDS) is software that automates the intrusion detection process. An intrusion prevention system (IPS) is software that has all the capabilities of an IDS and can also attempt to stop possible incidents. IDS and IPS technologies offer many of the same capabilities, and administrators can usually disable prevention features in IPS products, causing them to function as IDSs. Accordingly, for brevity the term intrusion detection and prevention systems (IDPSs) is used throughout the rest of this chapter to refer to both IDS and IPS technologies. Any exceptions are specifically noted.
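The chapter's definitions (an IDS monitors and analyzes events for signs of incidents; an IPS additionally tries to stop them; an IPS with prevention disabled behaves as an IDS) can be made concrete in a few dozen lines. The following Python is an added example, not code from the chapter: a small engine with two constructed signature rules and one constructed threshold rule, run over a constructed event stream once with prevention off and once with it on. Addresses, payloads and thresholds are all assumptions made for the illustration.

```python
"""Minimal intrusion detection/prevention engine. Added example; not code from the
chapter. Signatures, the threshold rule and the event records are constructed."""
import re
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass
class Event:
    ts: int        # seconds (constructed timestamps)
    src: str       # source address
    dst_port: int
    payload: str   # request line or log message the sensor observed


@dataclass
class Alert:
    rule: str
    src: str
    ts: int
    blocked: bool  # True only when prevention acted on this alert


class IDPS:
    """Monitors events and analyzes them for signs of incidents.

    With prevent=False the engine only raises alerts (IDS behaviour). With
    prevent=True it also blocks the offending source (IPS behaviour); turning
    prevent off is the toggle an administrator uses to run an IPS as an IDS.
    """

    # Constructed signatures: rule name -> pattern matched against the payload.
    SIGNATURES = {
        "path-traversal": re.compile(r"\.\./|%2e%2e%2f", re.IGNORECASE),
        "sqli-tautology": re.compile(r"'\s*or\s+'?1'?\s*=\s*'?1", re.IGNORECASE),
    }

    def __init__(self, prevent: bool, auth_fail_limit: int = 5, window: int = 60):
        self.prevent = prevent
        self.auth_fail_limit = auth_fail_limit   # failed logins that count as brute force
        self.window = window                     # ...within this many seconds
        self.blocked = set()
        self.dropped = 0
        self._fails = defaultdict(deque)         # src -> timestamps of recent failures

    def process(self, ev: Event) -> list:
        """Return the alerts an event raises; traffic from a blocked source is dropped."""
        if ev.src in self.blocked:
            self.dropped += 1
            return []
        alerts = []
        # Signature rules: known-bad content within a single event.
        for name, pattern in self.SIGNATURES.items():
            if pattern.search(ev.payload):
                alerts.append(self._alert(name, ev))
        # Threshold rule: repeated SSH authentication failures from one source.
        if ev.dst_port == 22 and "Failed password" in ev.payload:
            recent = self._fails[ev.src]
            recent.append(ev.ts)
            while recent and ev.ts - recent[0] > self.window:
                recent.popleft()
            if len(recent) >= self.auth_fail_limit:
                alerts.append(self._alert("ssh-bruteforce", ev))
        return alerts

    def _alert(self, rule: str, ev: Event) -> Alert:
        if self.prevent:
            self.blocked.add(ev.src)
        return Alert(rule, ev.src, ev.ts, blocked=self.prevent)


def run(events: list, prevent: bool):
    """Feed events through a fresh engine; return the engine and every alert raised."""
    engine = IDPS(prevent=prevent)
    alerts = [a for ev in events for a in engine.process(ev)]
    return engine, alerts


# Constructed event stream, not captured traffic.
SAMPLE_EVENTS = [
    Event(1000, "10.0.0.3", 80, "GET /index.html HTTP/1.1"),
    Event(1001, "10.0.0.5", 80, "GET /../../etc/passwd HTTP/1.1"),
    Event(1002, "10.0.0.7", 80, "GET /login?user=admin' OR '1'='1 HTTP/1.1"),
] + [
    Event(1010 + 5 * i, "10.0.0.9", 22, "Failed password for root from 10.0.0.9")
    for i in range(5)
] + [
    Event(1040, "10.0.0.5", 80, "GET /%2e%2e%2fetc/shadow HTTP/1.1"),
]

if __name__ == "__main__":
    for mode in (False, True):
        engine, alerts = run(SAMPLE_EVENTS, prevent=mode)
        print("IPS" if mode else "IDS", [a.rule for a in alerts],
              "blocked:", sorted(engine.blocked), "dropped:", engine.dropped)
```

Run in IDS mode the engine reports the second traversal attempt from the same source as a fresh alert; in IPS mode that source was blocked at the first alert and its later event is dropped without analysis, which is the operational difference (and the false-positive risk) the chapter's distinction implies.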


Archive | 2012

Guidelines for securing Wireless Local Area Networks (WLANs)

Murugiah P. Souppaya; Karen A. Scarfone

A wireless local area network (WLAN) is a group of wireless networking devices within a limited geographic area, such as an office building, that exchange data through radio communications. The security of each WLAN is heavily dependent on how well each WLAN component, including client devices, access points (APs), and wireless switches, is secured throughout the WLAN lifecycle, from initial WLAN design and deployment through ongoing maintenance and monitoring. The purpose of this publication is to help organizations improve their WLAN security by providing recommendations for WLAN security configuration and monitoring. This publication supplements other NIST publications by consolidating and strengthening their key recommendations.


cluster computing and the grid | 2007

Access Control Policy Combinations for the Grid Using the Policy Machine

Vincent C. Hu; David F. Ferraiolo; Karen A. Scarfone

Much research on grid security has addressed architecture and requirements, concentrating on authentication or on mediating authorization rather than on authorization techniques themselves, in particular policy combination. Policy combination is an essential requirement of the grid, both because of the interaction between the remote (global) and local policies of grid members and because membership changes dynamically as members join and leave. At the same time, the general security requirements of the grid make the independence of each grid member's access control system critical, and that independence must be preserved when an access decision is determined by combining global and local access control policies. The Policy Machine (PM) provides features that not only meet this independence requirement but also offer better performance, easier management, and more straightforward policy expression than most popular policy combination techniques for the grid.


Special Publication (NIST SP) - 800-48 Rev 1 | 2008

Guide to Securing Legacy IEEE 802.11 Wireless Networks

Karen A. Scarfone; Derrick Dicoi; Matthew Sexton; Cyrus Tibbs

The Information Technology Laboratory (ITL) at the National Institute of Standards and Technology (NIST) promotes the U.S. economy and public welfare by providing technical leadership for the nation's measurement and standards infrastructure. ITL develops tests, test methods, reference data, proof-of-concept implementations, and technical analysis to advance the development and productive use of information technology. ITL's responsibilities include the development of technical, physical, administrative, and management standards and guidelines for the cost-effective security and privacy of sensitive unclassified information in Federal computer systems. This Special Publication 800-series reports on ITL's research, guidance, and outreach efforts in computer security and its collaborative activities with industry, government, and academic organizations. Certain commercial entities, equipment, or materials may be identified in this document in order to describe an experimental procedure or concept adequately. Such identification is not intended to imply recommendation or endorsement by NIST, nor is it intended to imply that the entities, materials, or equipment are necessarily the best available for the purpose.


international conference on information technology | 2008

A framework for measuring the vulnerability of hosts

Karen A. Scarfone; Timothy Grance

This paper proposes a framework for measuring the vulnerability of individual hosts based on current and historical operational data for vulnerabilities and attacks. Previous approaches have not been scalable because they relied on complex manually constructed models, and most approaches have examined software flaws only, not other vulnerabilities such as software misconfiguration and software feature misuse. The framework uses a highly automatable metrics-based approach, producing rapid and consistent measurements for quantitative risk assessment and for attack and vulnerability modeling. In this paper, we propose the framework and its components and describe the work needed to implement them.


computer and communications security | 2008

Vulnerability scoring for security configuration settings

Karen A. Scarfone; Peter M. Mell

The best-known vulnerability scoring standard, the Common Vulnerability Scoring System (CVSS), is designed to quantify the severity of security-related software flaw vulnerabilities. This paper describes our efforts to determine if CVSS could be adapted for use with a different type of vulnerability: security configuration settings. We have identified significant differences in scoring configuration settings and software flaws and have proposed methods for accommodating those differences. We also generated scores for 187 configuration settings to evaluate the new specification.


international conference on social computing | 2013

Real-Time Access Control Rule Fault Detection Using a Simulated Logic Circuit

Vincent C. Hu; Karen A. Scarfone

Access control (AC) policies can be implemented under different AC models, all of which are fundamentally composed of semantically independent AC rules: expressions of privilege assignments stated in terms of subject attributes, actions, object attributes, and environment variables of the protected system. Incorrect implementation of an AC policy produces faults that can both leak information and deny legitimate access, and such faults are difficult to detect without verification or automatic fault detection mechanisms. This research proposes an automatic method that constructs a simulated logic circuit representing the AC rules of a policy or model. The simulated circuit allows real-time detection of policy faults, including conflicting privilege assignments, information leaks, and conflicts of interest. Such detection is traditionally done by tools that verify or test the policy only after all of its rules have been written, and those tools report nothing about the source of a verification error. The real-time fault detection proposed here lets a faulty rule be detected and fixed immediately, before the next rule is added to the policy or model, so that no later verification pass is required and a significant amount of fault-fixing time is saved.
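The practical point of the abstract is that checking each rule against the rules already accepted, at the moment it is written, both catches the fault and names the rule it collides with. The following Python is an added example and not the paper's simulated-logic-circuit construction: it models each rule as a conjunction of attribute predicates plus a permit/deny decision, and on every add checks the new rule for conflicting decisions, redundancy and a separation-of-duty (conflict of interest) violation against the accepted rules. Information-leak checks, which depend on the model's own notion of sensitivity, are not attempted. The invoice workflow rules and the submit/approve constraint are constructed for the illustration.

```python
"""Rule-by-rule fault detection for attribute-based access control rules. Added
example, not the paper's simulated-logic-circuit construction. Each rule is a
conjunction of attribute predicates plus a decision; a new rule is checked
against the already accepted rules before it is admitted, so the offending pair
is reported at once. Rules and the separation-of-duty constraint are constructed."""
from dataclasses import dataclass, field


@dataclass
class Rule:
    name: str
    conditions: dict = field(default_factory=dict)  # attribute -> required value; absent = any
    decision: str = "deny"                          # "permit" or "deny"


def overlap(a: Rule, b: Rule) -> bool:
    """True if some request can satisfy both rules' conditions at once."""
    return all(b.conditions.get(k, v) == v for k, v in a.conditions.items())


def subsumes(a: Rule, b: Rule) -> bool:
    """True if every request matching b also matches a (a is the more general rule)."""
    return all(b.conditions.get(k) == v for k, v in a.conditions.items())


def overlap_ignoring(a: Rule, b: Rule, attr: str) -> bool:
    """Overlap test that disregards one attribute (used for the conflict-of-interest check)."""
    return all(k == attr or b.conditions.get(k, v) == v for k, v in a.conditions.items())


class Policy:
    def __init__(self, sod_pairs=()):
        self.rules = []
        # Separation of duty: action pairs one subject must never be permitted on the same object.
        self.sod = {frozenset(p) for p in sod_pairs}

    def add(self, r: Rule) -> list:
        """Check r against every accepted rule; admit it only if no fault is found.
        Returns the faults found, each naming the accepted rule r collides with."""
        if r.decision not in ("permit", "deny"):
            raise ValueError(f"{r.name}: unknown decision {r.decision!r}")
        faults = []
        for q in self.rules:
            if overlap(q, r):
                if q.decision != r.decision:
                    faults.append(f"conflict: {r.name} vs {q.name}")
                elif subsumes(q, r):
                    faults.append(f"redundant: {r.name} already covered by {q.name}")
                elif subsumes(r, q):
                    faults.append(f"redundant: {r.name} makes {q.name} unnecessary")
            if q.decision == r.decision == "permit" and self._conflict_of_interest(q, r):
                faults.append(f"conflict of interest: {r.name} with {q.name}")
        if not faults:
            self.rules.append(r)
        return faults

    def _conflict_of_interest(self, q: Rule, r: Rule) -> bool:
        pair = frozenset({q.conditions.get("action"), r.conditions.get("action")})
        return pair in self.sod and overlap_ignoring(q, r, "action")

    def decide(self, request: dict) -> str:
        """Evaluate a request, default deny. Because no two admitted rules conflict,
        the order in which they are consulted cannot change the outcome."""
        for q in self.rules:
            if all(request.get(k) == v for k, v in q.conditions.items()):
                return q.decision
        return "deny"


def build_example_policy():
    """Constructed invoice workflow: clerks submit, managers approve, nobody does both."""
    policy = Policy(sod_pairs=[("submit", "approve")])
    log = {}
    candidates = [
        Rule("r1", {"role": "clerk", "action": "submit", "object": "invoice"}, "permit"),
        Rule("r2", {"role": "manager", "action": "approve", "object": "invoice"}, "permit"),
        Rule("r3", {"role": "clerk", "action": "submit"}, "deny"),                  # conflicts with r1
        Rule("r4", {"role": "clerk", "action": "approve", "object": "invoice"}, "permit"),  # SoD with r1
        Rule("r5", {"role": "clerk", "action": "submit", "object": "invoice",
                    "time": "business-hours"}, "permit"),                            # redundant given r1
        Rule("r6", {"role": "auditor", "action": "read", "object": "invoice"}, "permit"),
    ]
    for rule in candidates:
        log[rule.name] = policy.add(rule)   # fault reported as the rule is added
    return policy, log


if __name__ == "__main__":
    policy, log = build_example_policy()
    for name, faults in log.items():
        print(name, "accepted" if not faults else faults)
```

Rejecting a faulty rule at add time is what makes the later evaluation order-independent: a first-match evaluator over a rule set that was allowed to contain r1 and r3 would give different answers depending on which rule was written first.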


Special Publication (NIST SP) - 800-68 Rev 1 | 2008

Guide to Securing Microsoft Windows XP Systems for IT Professionals: A NIST Security Configuration Checklist

Karen A. Scarfone; Murugiah P. Souppaya; Paul M. Johnson

This publication assists IT professionals in securing Windows XP workstations, mobile computers, and computers used by telecommuters within various environments. The recommendations are specifically intended for Windows XP Professional systems running Service Pack 2 or 3. SP 800-68 Revision 1 provides detailed information about the security features of Windows XP and security configuration guidelines. The publication recommends and explains tested, secure settings with the objective of simplifying the administrative burden of improving the security of Windows XP systems in five types of environments: small office/home office, enterprise, specialized security-limited functionality, legacy, and Federal Desktop Core Configuration (FDCC).

Collaboration

Top Co-Authors

Murugiah P. Souppaya (National Institute of Standards and Technology)
David A. Waltermire (National Institute of Standards and Technology)
Stephen D. Quinn (National Institute of Standards and Technology)
Wayne Jansen (National Institute of Standards and Technology)
Timothy Grance (National Institute of Standards and Technology)
Peter M. Mell (National Institute of Standards and Technology)